Do not rate-limit or throttle requests from Cloudflare IP addresses

Cloudflare acts as a reverse proxy so all connections come from one of our IPs. It is important to ensure that your server accepts connections from Cloudflare at all times. Cloudflare IP ranges are listed at https://www.cloudflare.com/ips and that page includes links to simple text files intended for machine parsing.

Cloudflare will add any new ranges to the public list at least one month before the new range is used, and will use many methods to publicize any new ranges.

Make sure you are seeing original visitor IP addresses in your logs

Cloudflare operates as a reverse proxy, so requests to your server(s) are made from our global network. The requests will therefore come from Cloudflare IP addresses (see above), but Cloudflare always includes the original visitor IP address in the request, as an HTTP header.

Cloudflare offers several tools, such as mod_cloudflare for Apache webservers, for pulling the original visitor IP address from the header. See the full list of methods.
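The two points above belong together on the origin: accept (and never throttle) connections from Cloudflare's ranges, and recover the real visitor address from the header so that logging and rate limiting key on the visitor rather than on the edge address. The following is an added example, not Cloudflare's code and not mod_cloudflare. The CIDR blocks are constructed documentation ranges in the one-CIDR-per-line shape of the machine-readable files, not the real list, and the header name CF-Connecting-IP is Cloudflare's documented header, assumed here rather than quoted from this page.

```python
import ipaddress

# Constructed sample data in the shape of the machine-readable files linked from
# https://www.cloudflare.com/ips (one CIDR per line). These are documentation
# ranges, NOT Cloudflare's real ranges: load the live files in production and
# refresh them regularly, since new ranges are announced ahead of use.
SAMPLE_IPS_V4 = """
198.51.100.0/24
203.0.113.0/24
"""
SAMPLE_IPS_V6 = """
2001:db8:cf::/48
"""

# Header carrying the original visitor address (documented Cloudflare header
# name; assumed here, not taken from this page). Compared case-insensitively.
VISITOR_HEADER = "cf-connecting-ip"


def parse_ranges(*texts):
    """Parse one-CIDR-per-line text (v4 and/or v6) into network objects."""
    nets = []
    for text in texts:
        for line in text.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                nets.append(ipaddress.ip_network(line, strict=False))
    return nets


CLOUDFLARE_NETS = parse_ranges(SAMPLE_IPS_V4, SAMPLE_IPS_V6)


def is_cloudflare_ip(addr, nets=CLOUDFLARE_NETS):
    """True if the connecting (TCP peer) address is inside a Cloudflare range."""
    ip = ipaddress.ip_address(addr)
    # A v4 address is never 'in' a v6 network and vice versa; ipaddress handles that.
    return any(ip in net for net in nets)


def client_ip(peer_addr, headers, nets=CLOUDFLARE_NETS):
    """Address to log, rate-limit and block on.

    The visitor header is honoured only when the TCP peer is a Cloudflare
    address. A client that reaches the origin directly could set the header
    to anything, so for such peers the peer address itself is used. A
    malformed header value also falls back rather than being trusted.
    Keying limits on this value, never on peer_addr, is what keeps a busy
    visitor from getting a whole edge address (and everyone behind it) throttled.
    """
    if not is_cloudflare_ip(peer_addr, nets):
        return peer_addr
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(VISITOR_HEADER, "").strip()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return peer_addr
```

In a real deployment `parse_ranges` would be fed the downloaded ips-v4 and ips-v6 files on a schedule, and the same `is_cloudflare_ip` check would also drive the firewall allowlist, so that the origin accepts Cloudflare at all times.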

Remove all DNS records you are not using

Cloudflare provides authoritative DNS service to its direct customers.

If you’ve enabled Cloudflare via a hosting partner or CNAME, then your DNS is controlled elsewhere, and this only applies for those records delegated to Cloudflare.

Within the Cloudflare DNS Settings, you have a choice of enabling Cloudflare security and acceleration and other services on a per-record basis. Security is ON when the cloud is orange. Some services will add default records whether you use them or not, such as webmail, FTP or wildcards.

Note: Protocols like mail, ftp, ssh and cPanel have gray clouds by default. If you enable Cloudflare for these subdomains, the protocols will no longer work. However, if you have gray clouds, then an attacker can look up your origin server IP if they know about these subdomains. If you are concerned about security, then you can enable orange clouds for the subdomains and use the direct IP instead. For example, instead of connecting to ftp.example.com, you would connect to ftp://yourserverip.

If there is no cloud, the record cannot be proxied, but that means it’s pointing to another service, so should not be a concern.

Run email on separate server/service

If you are running your mail on the same server as your website, then the attacker can always find your origin server IP. To close this possible security gap, you can use an email service on a separate server from your website, whether through your hosting provider or an outside service (e.g., Google Apps).

For Mac users:

You can run this command in Terminal to see what IP is being reported with your MX records:

dig +short $(dig mx +short WEBSITE)

For example, if I was concerned about example.com, I would enter:

dig +short $(dig mx +short example.com)

The output will be an IP address. This is the IP address that an attacker can always find. You want to make sure this IP address is different from the IP address for your web server. Otherwise, no matter how many times you change your web server, if your email is also on the same server, then the attacker can always find the new IP.

For PC users:

You can run this command in command prompt to see what IP is being reported with your MX records:

nslookup -q=mx WEBSITE

For example, if I was concerned about example.com, I would enter:

nslookup -q=mx example.com

The output will be an IP address. This is the IP address that an attacker can always find. You want to make sure this IP address is different from the IP address for your web server. Otherwise, no matter how many times you change your web server, if your email is also on the same server, then the attacker can always find the new IP.
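The checks in the DNS and email sections above (gray-cloud records for protocols like ftp, wildcard or other unused records, and MX records whose mail server is the web server) can be run in one pass over a record listing before anything is deleted. The following is an added example, not Cloudflare's code: the record dicts are a constructed sample in an assumed shape (name, type, content, proxied), not a real zone export, and the addresses are documentation IPs.

```python
from collections import defaultdict

# Constructed sample zone, NOT a real export. One dict per record in an assumed
# shape: name, type, content, and whether the cloud is orange (proxied).
SAMPLE_RECORDS = [
    {"name": "example.com",      "type": "A",     "content": "203.0.113.10",     "proxied": True},
    {"name": "www.example.com",  "type": "A",     "content": "203.0.113.10",     "proxied": True},
    {"name": "ftp.example.com",  "type": "A",     "content": "203.0.113.10",     "proxied": False},
    {"name": "*.example.com",    "type": "A",     "content": "203.0.113.10",     "proxied": False},
    {"name": "example.com",      "type": "MX",    "content": "mail.example.com", "proxied": False},
    {"name": "mail.example.com", "type": "A",     "content": "203.0.113.10",     "proxied": False},
    {"name": "blog.example.com", "type": "CNAME", "content": "example.com",      "proxied": True},
    {"name": "shop.example.com", "type": "A",     "content": "198.51.100.5",     "proxied": False},
]

ADDRESS_TYPES = ("A", "AAAA")


def origin_ips(records):
    """IPs behind orange-clouded A/AAAA records: the addresses Cloudflare hides."""
    return {r["content"] for r in records
            if r["type"] in ADDRESS_TYPES and r["proxied"]}


def audit(records):
    """Return (record name, reason) pairs for records that reveal a hidden origin IP.

    Two leaks are checked: a gray-cloud A/AAAA record (ftp, wildcard, mail, ...)
    that points straight at the proxied origin, and an MX record whose target
    host resolves, within this zone, to the proxied origin, which is the
    "mail on the same server" case the dig/nslookup commands above uncover.
    """
    hidden = origin_ips(records)
    addr_of = defaultdict(set)          # hostname -> IPs from this zone's records
    for r in records:
        if r["type"] in ADDRESS_TYPES:
            addr_of[r["name"]].add(r["content"])

    findings = []
    for r in records:
        if r["type"] in ADDRESS_TYPES and not r["proxied"] and r["content"] in hidden:
            findings.append((r["name"], "gray-cloud record points at the proxied origin IP"))
        elif r["type"] == "MX":
            target = r["content"].rstrip(".")
            if addr_of.get(target, set()) & hidden:
                findings.append((r["name"], f"MX target {target} resolves to the origin IP"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RECORDS):
        print(f"{name}: {reason}")
```

Records that point at a different address (shop.example.com above) are not flagged, since they do not reveal the proxied origin; they may still be unused records worth removing, but that is a judgement the listing alone cannot make. An MX target hosted outside the zone would need a live lookup, which is what the dig and nslookup commands above provide.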

Customize the challenge page

All paid customers can fully modify the entire HTML page, using the Custom Errors feature within their Cloudflare Settings.

While the security works whether the page is customized or not, it’s useful to make that page reflect your brand and site language.

After moving site to Cloudflare, change server IP address(es)

Once you’ve enabled Cloudflare for all web records, Cloudflare helps mask the server IP address(es)—especially if you’ve followed the steps above about removing unused records and keeping email on a separate server.

As an extra security measure, you may contact your hosting provider and ask them to change your web server IP address to something new. Note: this task is rarely automatic, and may incur a charge, so discuss with your hosting provider, based on the risk of attack on your site.

Utilise Rate Limiting to Prevent Brute Force and Layer 7 DDoS Attacks

Brute Force Attacks - which utilise bots to automatically try combinations of generated usernames and passwords until a legitimate administrative account is found and the account is compromised.

Layer 7 DDoS Attacks - where web server capacity is limited and the attack traffic is disguised to look like normal HTTP requests, it is easy to overwhelm a website with a volume of traffic that would seem small to a higher-volume site with more resources. Rate Limiting allows website administrators to specify fine-grained thresholds for the load they expect their web server to receive.

Self-serve plans include 10,000 free requests per month. Please see the following knowledge base article for more information or to learn about set-up: Cloudflare Rate Limiting.

Check WAF settings

No matter how well patched or updated a dynamic website is, there can always be new vulnerabilities around the corner. Cloudflare's Web Application Firewall can help you filter malicious HTTP and HTTPS requests to block common threats such as SQL Injection, XSS Attacks and Remote Code Execution Exploits. As Cloudflare's network handles significant traffic, we are able to identify new attack patterns and create new WAF rules accordingly - protecting all WAF customers from potential vulnerabilities.